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UPSET SUSCEPTIBILITY STUDY EMPLOYING CIRCUIT ANALYSIS 
AND DIGITAL SIMULATION 


by 

Victor A. Carreno 
NASA Langley Research Center 
Hampton, Virginia 23665 


ABSTRACT 

This paper describes an approach to predicting the susceptibility of 
digital' systems to signal disturbances. Electrical disturbances on a digital 
system’s input and output lines can be induced by activities and conditions 
including static electricity, lightning discharge, Electromagnetic Interference 
(EMI) and Electromagnetic Pulsation (EMP). The electrical signal disturbances 
employed for the susceptibility study were limited to nondestructive levels, 
i.e., the system does not sustain partial or total physical damage and reset 
and/or reload will bring the system to an operational status. The front-end 
transition from the electrical disturbances to the equivalent digital signals 
was accomplished by computer-aided circuit analysis. The SCEPTRE (system for 
circuit evaluation of transient radiation effects) Program was used. Gate 
models were developed according to manufacturers' performance specifications 
and parameters resulting from construction processes characteristic of the 
technology. Digital simulation at the gate and functional level was employed 
to determine the impact of the abnormal signals on system performance and to 
study the propagation characteristics of these signals through the system 
architecture. Example results are included for an Intel 8080 processor 
configuration. 





INTRODUCTION 


The use of digital electronic systems onboard aircraft is increasing and 
these systems are eventually expected to perform flight-critical functions on 
new generation aircraft, thus creating the necessity for ultrareliable digital 
systems. Various approaches are being taken to achieve ultrareliable 
fault-tolerant systems that will survive the occurrence of component/ subsystem 
failure. A different threat to digital systems comes from internal state 
changes caused by external disturbances such as lightning. Aircraft flying in 
adverse weather conditions can be subjected to lightning discharge which will 
produce transients on system lines, data buses, etc. Work has been conducted 
to establish the interaction between the lightning produced electromagnetic 
environment and the aircraft (refs. 1, 2). This work is expected to determine 
the induced voltage energy spectrum and levels inside the aircraft as a result 
of lightning discharge and the effects of various parameters (electronic system 
location, cable length, cable type, shielding, etc.) on the induced voltages. 

The inherent characteristics of digital systems make these induced 
transients ; a major threat since, unlike analog computational systems, a 
transient on a digital system can cause a logic state change preventing the 
machine from performing as intended after the transient. In most cases after 
the machine has entered into an erroneous operation, a reset and/or reload is 
necessary bo bring it to normal operation. This erroneous operation is called 
an upset mode and no component or subsystem failure exists. 

Studies of possible changes in program flow (due to upset) and its 
relation to : program structure have been underway for several years (ref. 3) • 

The purpose of the work described in this paper is to develop a methodology 
through which the susceptibility of a digital system to induced transients can 
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be evaluated. A possible by-product is the identification of system design 
procedures that increase or decrease the vulnerability of the system to threats 
as described above. Since the susceptibility study deals with nondestructive 
transient levels, investigation and tests of component failures caused by 
excess voltage levels were performed. Upper bounds were established for 
transient voltage levels to avoid failure of the system under test. 

The study is divided into two parts: (1) translation of transients into 
digital equivalents using component-level circuit analysis by associating logic 
levels with the transient disturbance, and (2) functional level digital system 
simulation and transient injection using "digital equivalent transients" 
produced by the above circuit analysis. Figure 1 illustrates the methodology 
described in this paper. 

CIRCUIT ANALYSIS 

The waveshapes used for transient injection are shown in figure 2. These 
waveshapes are recommended by SAE subcommittee AEAL (ref. *0 for lightning 
induced transient studies. They are representative of the form of voltages and 
currents that may be present in cables in a lightning-produced electromagnetic 
environment. The waveshapes are intended for direct injection on system pins 
and lines and levels of the waveshapes are restricted to nondestructive levels. 

When analog transients are injected on digital system lines or pins they 
reach -the interfacing circuitry in the system devices. A prediction of the 
behavior of the interfacing circuitry when driven with the analog transient was 
performed by analyzing the circuitry at the component level using the SCEPTRE 
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(System for Circuit Evaluation of Transient Radiation Effects) program. 

Circuit topology is converted to an equivalent SCEPTRE circuit description to 
be used as input data for the SCEPTRE program. Transistors and diodes are 
modeled using the basic elements necessary for the SCEPTRE equivalent circuits, 
including resistors, capacitors, inductors, current, and voltage sources. 

Values for the Ebers-Moll transistor model and the diode model were obtained 
from manufacturers' data and from information of typical fabrication processes 
for monolithic integrated circuits. A family of component-level logic models 
for use in SCEPTRE analysis including gates, flip-flops, and tri-state devices, 
has been developed for this study for TTL and CMOS technology. 

A typical transient injection circuit used to generate transients coupled 
to digital devices and shown in figure 3 was designed, breadboarded, and tested 
to compare its operation with SCEPTRE analysis of the such a circuitry. The 
tank circuit is connected to the injection point through a parallel RC circuit 
for isolation. Since the injection point of the circuit under test has a 
nonlinear input impedance, the waveshape at the injection point is clipped, 

/ 

nonsinusoidal, and thus unlike the sinusoidal tank output. The SCEPTRE code 
accurately models this circuit as shown in figures *1 and 5. To achieve the 
nonclipped, SAE recommended waveshape at the injection point, an idealized 
injection circuit was defined for use with SCEPTRE in the upset susceptibility 
study. The idealized circuit is accomplished in the SCEPTRE code via a 
mathematical function and has a low impedance source, perfect switches, and 
very high frequency response. 
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Figures 6 and 7 are examples of the response of a D-type flip-flop used in 
a latch circuit to the modeled injection circuit and the idealized transient 
signal. The transient was injected on the data input line while the flip-flop 
was disabled and in a high state. In the first example, using the oscillating 
tank injection circuit, the flip-flop state was changed from a high to low 
state. In the second example, using the ideal injection source, the flip-flop 
does not experience a state change. Thus, the injected signal harmonic content 
as well as the coupling circuit have an impact on the circuit analysis results. 


SYSTEM SIMULATION 

An 8080 microprocessor-based computer system was simulated in the 
functional level simulation study. This system was chosen to provide 
comparison with a similar hardware-based study (ref. 5). Functional level 
simulation was accomplished with the General Simulation Program (GSP) (ref. 6) 
running on a CDC Cyber 170-730 computer. This program has the capability for 
16 functional models such as counters, microprocessors, latches, etc. The 
modeling is performed with a microcode instruction set. Variable propagation 
delay and internal registers can be implemented in the simulation. An example 
of a flip-flop model described with the microcode is listed in table 1. 

Figure 8 Shows the system block diagram used in the upset susceptibility 
study. An extra module was designed and added to the model system to access 
the system lines for injection purposes. The injection module is inserted in 
the line on which injection is intended. Under normal Operation, the system 
signal propagates through the injection module unaltered with no time delay. 
Therefore, this module, when disabled, is completely transparent to the 


5 



remaining modules. When the injection module is enabled, the affected line 
signal is controlled by the user running the simulation. The digital 
equivalent signal, derived from the SCEPTRE circuit analysis using the 
idealized transient signal, was used to control the affected line. State 
changes of latches at either end of the affected line are used to introduce 
logic errors into the digital signals transmitted over the line according to 
the results of the circuit analysis. 

The program executed during injection studies is in table 2. The program 

loads a byte from memory into the accumulator, stores the accumulator into 

memory and jumps to the first instruction at memory location (1000)., in a 

1 b 

continuous loop. This program exercises three of a possible ten machine cycles 

(table 3) and is intended to provide a correlation of the machine cycles with 

the upset conditions. The first set of hardware tests were performed and 

reported in reference 5 using this program. 

The program is loaded in RAM starting at memory location (lOOOj^g. When 

the simulation starts, the microprocessor is initialized equivalent to a power 

on reset. It loads and executes a jump instruction in ROM location (0000),, 

1 b 

and after 6500 nanoseconds the microprocessor starts executing the program in 
RAM address (1000),,. 

The time of the transient injection into the system was determined by 
selecting a random number between 0 and 15000 and adding it to 6500. The time 
required by the microprocessor to execute the program in RAM once is 15000 
nanoseconds. Therefore, the injection can occur with equal probability at any 
point in the program. The random numbers were obtained from a table of random 
numbers (ref. 7) and normalized to meet the boundary requirement. 
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TEST RESULTS 


During initial upset test runs, operation codes (op-codes) that are 
undefined in the microprocessor instruction set were loaded in the instruction 
register as a result of the injected transients. The simulation microprocessor 
model treated these undefined op-codes as "no operation" instructions. A 
program that makes use of the undefined op-codes was written and executed in 
hardware to determine the response of the microprocessor to such codes and 
modifications were made to the microprocessor model accordingly. Of the 12 
undefined codes 7 acted as one byte instruction and execution continued with 
the next immediate byte and 5 acted as control instructions with the next two 
bytes as part of the instruction. No attempt was made to reproduce with the 
microprocessor model the control output signals generated when the hardware 
microprocessor is executing the undefined opcodes. 

Sixty-six transient injections were performed during program execution. 
Each transient injection was performed on a single line at a time and in all 66 
cases the injected signal was the digital equivalent of a 1 MHz damped 
sinusoid. The points of the injections in the system were MDI q , MDI^, and MDI^ 
of the input data bus, DB q of the output data bus, D q of the bidirectional data 
bus, and MAD q of the memory address bus. 

During execution, the microprocessor bidirectional data bus, high and low 
address bus, system output data bus, and chip selection control lines were 
monitored, as well as the pins and internal registers of the microprocessor 
model. Locations in memory that were not used for the program were loaded with 
zero (00)^ in the simulation as opposed to the hardware test (ref. 5) where 
unused memory locations had random content. Therefore, when program control 
was transferred to a memory location out of the defined program, the no 
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operation instruction NOP (00) ^ was loaded and no undefined status word was 
observed during any of the transient injection runs. Forty-one system 
anomalies were registered including 2H errors and 17 upsets. System anomalies, 
errors and upsets for each injection line are summarized in table *1. In the 
error case, the microprocessor stored or loaded erroneous data, stored data in 
a nonspecified location or skipped an instruction but went back to the normal 
program loop. In the upset case, the microprocessor went out of the program 
loop to empty or nonexistent memory locations. Simulation test results on 
system errors and upsets as a function of injection lines were comparable with 
hardware results with the exception of the memory address line (MAD), where no 
errors or upsets were registered in 3^6 injections in the hardware test and 
seven errors and four upsets were recorded in 11 injections in the simulation 
test. Further tests are presently being performed to resolve the difference 
between hardware and simulation upsets caused by injections on the MAD line. 

Of 17 upsets, 13 were caused when the injection was performed during the jump 
instruction. These results point to an apparent higher susceptibility to upset 
of the program control instruction. Table 5 shows the classification of upsets 
and errors when the injections were performed during load (MVIA) , store (STA) 
and jump (JMP) . 


SUMMARY AND CONCLUSIONS 

The simplicity of the program executed during transient runs permitted 
observation of the patterns that lead to the upset condition. The upset 
susceptibility is highly dependent on program structure (ref. 3). When 1-bit 
of a. 3 _ byte instruction is changed, the instruction could become a 1-byte 
instruction, and the two next immediate data bytes are then loaded gs 
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instructions. This condition was observed 12 times during the 66 upset test 
runs and three of those cases led to upset. In total, 29 data bytes were read 
as instructions and the effect on the program flow depended on the data value, 
its location in the program, and the instruction immediately after the data 
byte or bytes. 

Although none of the test runs caused the original program in RAM to be 
partially or totally overwritten, the potential for overwriting programs was 
identified in the error cases when the microprocessor stored data in memory 
locations different from those specified. 

Results of the study can be used to obtain the parameters necessary for a 
stochastic model, similar to the stochastic model in reference 5, to compute 
susceptibility of the system. The methodology described provides the 
capability of performing upset tests and establishing an upset susceptibility 
level for a system using models developed during design stages. 
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TABLE 1 - FLIP-FLOP MODEL WITH GSP MICROCODE 


MODEL J K 

DECLARATION OF INTERNAL REGISTERS 
NO INTERNAL REGISTERS ARE NEEDED IN J K MODEL 


REG(1) DUMMY 

DECLARATION OF ALL EXTERNAL CONNECTIONS 
PIN EX(150) FOR SIMULATION CONTROL PURPOSES 

PIN J(1) ,K(2) ,Q (3) ,QBAR (4) ,CLK(5) ,EX( 150) 

PROPAGATION DELAY SPECIFICATION 


EVW 0UT(15) 


BEQ CLK, LATCH 
BEQ J ,K, INT 
MOV(OUT) J,Q 

MOV (OUT) K.QBAR 

MOV #0, EX 

INT: BEQ J, LATCH 

COM (OUT) Q 

COM (OUT) QBAR 

LATCH: MOV #0,EX 

END 


IF CLK EQUAL ZERO JUMP TO LATCH 
IF J EQUAL K JUMP TO INT 
GIVE Q THE VALUE OF J AFTER A 15 
NANO SECOND DELAY 

GIVE QBAR THE VALUE OF K AFTER A 15 
NANO SECOND DELAY 
TERMINATE THE EXECUTION OF 
THIS MODULE 

COMPLEMENT THE VALUE OF Q 
INSTRUCTION IS EXECUTED WHEN J=K 
COMPLEMENT THE VALUE OF QBAR. THIS 
INSTRUCTION IS EXECUTED WHEN J=K 
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TABLE 2 - PROGRAM CODE EXECUTED DURING INJECTION STUDIES 


CLOCK 

CYCLES 

ADDRESS 

INSTRUCTION 

MNEMONIC 

7 

10 00 

3E 

MVIA 


01 

CB 


13 

02 

32 

STA 


03 

19 



04 

10 


10 

05 

C3 

JMP 


06 

00 



07 

10 
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TABLE 3 - 8080 MACHINE CYCLES AND CORRESPONDING 8-BIT 
STATUS SIGNALS IN HEXADECIMAL FORMAT 


MACHINE CYCLE 


STATUS SIGNAL 


INSTRUCTION FETCH A2 
MEMORY READ 82 
MEMORY WRITE 00 
STACK READ 86 
STACK WRITE . 04 
INPUT 42 
OUTPUT 10 
INTERRUPT 23 
HALT 8A 
INTERRUPT WHILE HALT 2B 
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TABLE 4 - SYSTEM ANOMALIES AT EACH INPUT POINT ON THE 
SIMULATED SYSTEM UNDER TEST 


INPUT SYSTEM 


POINTS 

INJECTIONS 

ANOMALIES 

ERRORS 

UPSETS 

mdi 0 

11 (ID 

6 (11) 

2 (3) 

4 (8) 

MDI 3 

11 (ID 

4 (11) 

2 (0) 

2 (11) 

MDI 7 

11 (11) 

10 (11) 

7 (1) 

3 (10). 

D o 

11 (2) 

11 (2) 

6 (1) 

5 (1) 

MAD 

11 (346) 

11 (0) 

7 (0) 

4 (0) 

DB o 

11 (720) 

1 ( 0 ) 

1 (0) 

0 (0) 


66 

43 

25 

18 


( ) Hardware test results. 
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TABLE 5 

- UPSETS AND ERRORS 
DURING INSTRUCTION 

FOR TRANSIENT 
CYCLE 

INJECTIONS 



MVIA 

STA 

JMP 

TOTAL 

NO UPSET 

11 

10 

4 

25 

ERRORS 

14 

10 

0 

24 

UPSET 

1 

3 

13 

17 

TOTAL 

26 

23 

17 

66 
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FIG. 1 -METHODOLOGY FOR SUSCEPTIBILITY STUDY 









DAMPED SINUSOIDAL WAVEFORM 



1 1 MHz (±20%) 50 MAX AMPLITUDE DECREASES 

2 10 MHz (±20%) 5 MAX 25-50% IN 4 CYCLES 


DECAYING EXPONENTIAL WAVEFORM 



3 500 MAX 170 (±20%) 

4 100 MAX 2 (±20%) 


Fig. 2 - S.A.E. waveforms recommended for lightning-induced effects testing. 
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Fig. 3 - Transient generator circuit. 



Fig. 4 - Transient input signal on the flip-flop D line of a 
hardware setup using a tank injection circuit. 
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Fig. 5 - Transient input signal on the flip-flop D line of a modeled 
configuration using a modeled tank injection circuit. 
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Fig. 6 - Flip-flop response to the modeled transient injection circuit. 
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Flip-flop response to the idealized 
transient signal. 
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